W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

From: Fred Andrews <fredandw@live.com>
Date: Sun, 16 Sep 2012 15:46:23 +0000
Message-ID: <BLU002-W223064C0BECB9589C4F0DEFAA960@phx.gbl>
To: "Hill, Brad" <bhill@paypal-inc.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

Dear Brad,

Thank you again for the insights.

I appreciate that the w3c might view fingerprinting and tracking as inevitable, but their options appear to be rather constrained by interest groups.  Users do not have such constraints and UA development driven by user needs may well be able to address this issue.

Note that the firefox 'noscript' extension webpage currently reports 2,180,733 users, and the Ghostery extension 675,177 users.  There is some interest in such tools - even if they have knobs on them.

CSP could have also helped improve safety for users interested in privacy and could have complemented their needs, so it is a bit disappointing that their needs can not be considered.

It should be possible for content servers to choose to support both the published CSP and users interested in privacy by not requiring reports be returned, not depending on being able to trip their own restrictions, and not depending on DOM access.

Policy based solutions to tracking, such as DNT, just increase the fingerprint surface - its good for a laugh though.

There are many sources of leaks, but there are technical solutions to address large classes of these leaks.  I see it as quite practical for children and new web users to start with such UAs as they would be inherently safer and less of a cognitive burden.

It is true that a privacy sensitive UA would be identifiable from current standard UAs - it can probably not all be spoofed well.  These UAs would need a significant share of usage for protection.   By design and necessity they would all want to appear the same which would help improve their share.  Privacy is not an all-or-nothing matter, and improved privacy and safety may well be enough for many users.


From: bhill@paypal-inc.com
To: fredandw@live.com; eoftedal@gmail.com; w3c@adambarth.com
CC: public-webappsec@w3.org
Date: Fri, 14 Sep 2012 22:16:10 +0000
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

The rough consensus of folks at the W3C these days seems to be that, as currently built, tracking/fingerprinting is an almost inevitable and unavoidable consequence
 of the general-purpose web browser.  Thatís not a value judgment, just a statement of fact thatís becoming more true every day. 

Thatís why the Tracking Protection Working Group (http://www.w3.org/2011/tracking-protection/) is
 focusing on a policy-based solution rather than trying to make tracking technically impossible. 

Users who seek to avoid the technical possibility that their browser will be fingerprinted really need to seek out a user agent that is specifically designed
 with that goal in mind.  Even if we surfaced to the user the option to disable reports, other parts, or all of CSP, it would only be a small part of a giant list of such opt-outs the user agent would need to provide for meaningful protection.  Such a list
 would be unapproachable by the average user, and just the act of customizing it would likely result in a browser thatís even more uniquely identifiable than the one they started with.
Weíre not trying to shirk responsibility here, but itís just not a problem we can solve in this group, or even incrementally provide options that are meaningful
 to more than a vanishingly small fraction of users.
-Brad Hill

From: Fred Andrews [mailto:fredandw@live.com]

Sent: Friday, September 14, 2012 8:12 AM

To: Erlend Oftedal; Adam Barth

Cc: public-webappsec@w3.org

Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid



> From: 

> Date: Thu, 13 Sep 2012 22:12:44 -0700

> To: fredandw@live.com; 

> CC: public-webappsec@w3.org

> Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid


> But is there really a way of removing the possibility of detecting if

> CSP is implemented? The website could always just have the browser

> visit some pages with CSP enabled and see which requests come through.

Yes, if the reporting is opt-in and violations are reported to the user and cause

the embedded widget to halt.   Servers would not be able to probe using the report-only

return channel, and content that tried to trip its own restrictions to probe the clients

implementation could be detected by the client and alert the user or be inhibited.



Received on Sunday, 16 September 2012 15:46:50 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 13:26:30 UTC